Copyright 2013 Cisco Systems, Inc. All rights reserved Trademarks Meraki is a registered trademark of Cisco Systems, Inc.
Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000 | sales@meraki.com
Introduction
What is VPN?
Virtual Private Networks (VPNs) are used by most organizations seeking to provide teleworkers with pseudo on-site access to core network resources or to connect branch offices to a core network. VPNs are encrypted tunnels that allow for the secure, confidential transfer of data across unsecured, public infrastructure, typically the Internet.
[Figure: Location 1 (Network A, 10.1.0/24, hosts A1 to A3) and Location 2 (Network B, 192.168.1.0/24, hosts B1 to B3) connected to each other across the Internet.]
Site-to-site VPNs are deployed between the security appliances/firewalls at each location. The client devices (such as laptops or workstations) behind these firewalls do not need software installed or local settings configured to enable them to send or receive data with the other sites. In a mesh site-to-site VPN (also known as spoke-to-spoke), all of an organization's individual networks are connected to one another via VPN. In a hub-and-spoke topology, all of the satellite branch office networks (spokes) tunnel back to a central office (hub) over VPN; the spokes do not exchange data directly with one another.
1. MXs advertise their WAN IP addresses and any active NAT traversal UDP ports to the Cisco Meraki cloud. Device-to-cloud communication is encrypted twice: once via Meraki-proprietary encryption and again using SSL.
2. Cisco Meraki's cloud receives MX advertisements and public IP addresses. The dashboard receives the WAN IPs and NAT traversal information from the MXs, as well as their public IP addresses (which differ from their WAN IPs if the MXs sit behind NAT devices).
3. The cloud maintains a dynamic table to track all MXs in an organization. The WAN IP address, public IP address, NAT traversal port, and local subnets are tracked for every MX in an organization. When a new MX is brought online, its information is added to this table.
4. The appropriate IP address is chosen. For each MX, the cloud decides whether to use its WAN or public IP address to establish a secure VPN tunnel. When possible, an MX's WAN IP address will be used; this can provide shorter VPN paths between peer MXs (e.g. when multiple VPN peers are connected through MPLS to a primary data center, and from there, out to the Internet).
5. The VPN tunnel is negotiated. The Cisco Meraki cloud already knows VLAN and subnet information for each MX, and now, the IP addresses to use for tunnel creation. The cloud and MXs establish a 16-character pre-shared key (one key per organization), and a 128-bit AES encrypted IPsec tunnel. Local subnets specified in the dashboard by IT admins are exported across VPN.
6. VPN routes are pushed from the dashboard to MXs. Finally, the dashboard dynamically pushes VPN peer information (e.g., exported subnets, tunnel IP information) to each MX. Every MX stores this information in a separate, static routing table.
Cisco Meraki's MXs and cloud negotiate VPN settings via Auto VPN.
That Auto VPN leverages the cloud in this unique, intelligent way means less manual configuration and time spent by IT admins to set up VPN tunnels between sites, and fewer opportunities to introduce human error into the process.
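The six steps above describe a registry-style exchange: each MX advertises what it knows, the cloud keeps a table, picks an endpoint per peer and pushes a static route table back. The Python below is an added model of that flow, not Cisco Meraki code. The MX names, addresses, UDP ports and subnets are constructed, the `transport` label is an assumption standing in for a shared MPLS network, and the rule in `choose_endpoint` for preferring a WAN IP over a public IP is this model's assumption, since the text says only that the WAN IP is used "when possible".

```python
"""Model of the Auto VPN negotiation steps (added example, not Meraki code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass
class MXAdvertisement:
    """What one MX reports to the cloud (step 1) and what the cloud observes
    about it (step 2). All values used below are constructed."""
    name: str
    wan_ip: str              # address on the MX WAN interface
    public_ip: str           # source address seen by the cloud; differs behind NAT
    nat_port: int            # active NAT traversal UDP port
    subnets: list            # local subnets the admin exports across VPN
    transport: Optional[str] = None  # assumed label of a shared private WAN (e.g. MPLS)


class AutoVPNRegistry:
    """Cloud-side dynamic table of every MX in the organization (step 3)."""

    def __init__(self):
        self.table = {}

    def conflicts(self, adv):
        """Sanity check for this model (not claimed dashboard behaviour): return
        (peer, subnet) if an exported subnet overlaps one already registered,
        because such a route would be ambiguous on every other MX."""
        for other in self.table.values():
            for mine in adv.subnets:
                for theirs in other.subnets:
                    if ip_network(mine).overlaps(ip_network(theirs)):
                        return (other.name, theirs)
        return None

    def register(self, adv):
        clash = self.conflicts(adv)
        if clash:
            raise ValueError(f"{adv.name}: subnet overlaps {clash[1]} of {clash[0]}")
        self.table[adv.name] = adv

    def choose_endpoint(self, src, dst):
        """Step 4: the address `src` should use to reach `dst`.
        Assumption: the WAN IP is usable when `dst` is not behind NAT, or when
        both peers share the same private transport; otherwise the public IP
        and the advertised NAT traversal port are used."""
        s, d = self.table[src], self.table[dst]
        if d.wan_ip == d.public_ip or (s.transport and s.transport == d.transport):
            return {"ip": d.wan_ip, "port": None, "via": "wan"}
        return {"ip": d.public_ip, "port": d.nat_port, "via": "public"}

    def route_table(self, name):
        """Steps 5-6: the static VPN route table pushed to one MX, i.e. every
        other peer's exported subnets mapped to the endpoint chosen for it."""
        routes = {}
        for peer in self.table:
            if peer == name:
                continue
            endpoint = self.choose_endpoint(name, peer)
            for subnet in self.table[peer].subnets:
                routes[subnet] = {"peer": peer, **endpoint}
        return routes


def build_demo():
    """Constructed organization: a public-IP HQ, a branch behind NAT, and two
    sites that share an MPLS transport."""
    reg = AutoVPNRegistry()
    reg.register(MXAdvertisement("hq", "203.0.113.10", "203.0.113.10", 40000, ["10.1.0.0/24"]))
    reg.register(MXAdvertisement("branch", "192.168.100.2", "198.51.100.7", 40001, ["192.168.1.0/24"]))
    reg.register(MXAdvertisement("dc", "10.200.0.5", "198.51.100.9", 40002, ["10.50.0.0/16"], "mpls-a"))
    reg.register(MXAdvertisement("remote", "10.200.0.9", "198.51.100.11", 40003, ["10.60.0.0/24"], "mpls-a"))
    return reg


if __name__ == "__main__":
    reg = build_demo()
    for name in reg.table:
        print(name)
        for subnet, route in reg.route_table(name).items():
            port = f":{route['port']}" if route["port"] else ""
            print(f"  {subnet:16} -> {route['peer']:7} via {route['via']} {route['ip']}{port}")
```

Running it shows the asymmetry the text describes: `remote` reaches `dc` over the shared MPLS WAN address, while `branch`, which has no such transport, reaches `dc` through its public IP and NAT traversal port. The overlap check in `register` is worth keeping in any tooling that reviews exported subnets, since two sites exporting the same range cannot both be routed.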
Split tunnel mode will only send site-to-site traffic over the VPN, leaving other traffic (such as direct Internet requests) to be directed to its final destination without needing to go through the secure VPN tunnel. In other words, email or file server requests between two offices would traverse the split tunnel VPN; a user's request to view a website such as www.nytimes.com would not. Full tunnel mode directs all traffic through the secure VPN tunnel. So even a user's request to view a web page will be encrypted and sent through VPN to a concentrator first.
2. Decide VPN topology: mesh or hub-and-spoke:
If configuring a mesh topology, ensure every participating MX has the Connect directly to all peers option selected. If configuring a hub-and-spoke topology, ensure that the hub MX is configured to mesh to all peers, while every branch (spoke) MX is configured to Connect directly to only one VPN peer (hub-and-spoke mode):
A teleworker site configured in a hub-and-spoke topology, tunneling back to the Meraki Corp - Appliance hub MX.
4. Click save in the dashboard. That's it! You've now configured a split or full tunnel VPN in either a mesh or hub-and-spoke topology.
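The settings chosen in this procedure can be modelled and checked before anyone clicks save. The Python below is an added example, not Cisco Meraki code: site names and subnets are constructed, `validate` restates the two requirements given above (a spoke's hub must connect directly to all peers; a spoke connects to exactly one hub), and `next_hop` shows the split versus full tunnel decision. One assumption is this model's own: full tunnel mode is applied to a spoke, whose hub acts as the concentrator that receives its non-VPN traffic.

```python
"""Model of mesh / hub-and-spoke and split / full tunnel settings (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SiteConfig:
    name: str
    subnets: list                  # local subnets exported across VPN
    peers: str = "all"             # "all": Connect directly to all peers; "hub": one hub only
    hub: Optional[str] = None      # hub name when peers == "hub"
    tunnel: str = "split"          # "split" or "full"


def validate(sites):
    """Return the misconfigurations an admin should fix before saving."""
    problems = []
    for s in sites.values():
        if s.peers == "hub":
            if s.hub not in sites:
                problems.append(f"{s.name}: hub {s.hub!r} is not a VPN peer")
            elif sites[s.hub].peers != "all":
                problems.append(f"{s.name}: hub {s.hub} must connect directly to all peers")
        elif s.peers != "all":
            problems.append(f"{s.name}: unknown peer mode {s.peers!r}")
        if s.tunnel == "full" and s.peers != "hub":
            # modelling assumption: full tunnel traffic needs a hub as concentrator
            problems.append(f"{s.name}: full tunnel mode needs a hub as its concentrator")
    return problems


def tunnel_peers(sites, name):
    """Peers this MX actually builds tunnels to: a spoke only to its hub; a
    meshed MX to every peer that meshes back or names it as hub."""
    me = sites[name]
    if me.peers == "hub":
        return {me.hub}
    return {o.name for o in sites.values()
            if o.name != name and (o.peers == "all" or o.hub == name)}


def next_hop(sites, name, dst):
    """Where a packet from `name` to `dst` goes: local delivery, over the VPN
    to a named peer, or directly to the Internet (split tunnel only)."""
    addr = ip_address(dst)
    me = sites[name]
    if any(addr in ip_network(n) for n in me.subnets):
        return ("local", None)
    for peer in sorted(tunnel_peers(sites, name)):
        if any(addr in ip_network(n) for n in sites[peer].subnets):
            return ("vpn", peer)
    if me.tunnel == "full":
        return ("vpn", me.hub)        # everything else goes to the concentrator
    return ("direct", None)           # split tunnel: leave the VPN alone


# Constructed hub-and-spoke organization: a corporate hub and two teleworkers.
SITES = {
    "corp":  SiteConfig("corp",  ["10.1.0.0/24"]),
    "home1": SiteConfig("home1", ["192.168.1.0/24"], peers="hub", hub="corp", tunnel="full"),
    "home2": SiteConfig("home2", ["192.168.2.0/24"], peers="hub", hub="corp"),
}

# Same sites, but the hub was mistakenly left in hub-and-spoke mode itself.
BROKEN = {**SITES, "corp": SiteConfig("corp", ["10.1.0.0/24"], peers="hub", hub="home1")}


if __name__ == "__main__":
    print("problems:", validate(SITES) or "none")
    print("broken  :", validate(BROKEN))
    for site in SITES:
        print(site, "tunnels to", sorted(tunnel_peers(SITES, site)))
    for site, dst in [("home1", "10.1.0.25"), ("home1", "203.0.113.50"),
                      ("home2", "203.0.113.50"), ("home2", "192.168.1.9")]:
        print(f"{site} -> {dst}: {next_hop(SITES, site, dst)}")
```

Two results are worth noticing: `home1` in full tunnel mode sends even a web request for `203.0.113.50` to `corp`, while `home2` in split tunnel mode sends it directly; and `home2` has no tunnel to `home1`, so a packet for `192.168.1.9` is not carried over the VPN, which is exactly the "spokes do not exchange data directly" property of the topology.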
If you want to check the status of all the VPN peer MXs (or Z1 teleworker gateway appliances, which also support Auto VPN) in your network, you can easily do so from the Monitor >> VPN Status page in the Cisco Meraki dashboard. The status of each MX or Z1 is displayed, along with its exported subnets; latency and connectivity for each peer are checked every couple of seconds, providing a near real-time view.